With access rules, you can secure levels, level attributes, accounts, and custom dimensions. You then use secured dimensions and attributes to define specific intersections of data that users or groups can edit or view.
You use a spreadsheet template to create the rules. You can either replace all existing rules with the template or update and append the rules.
Access rules describe specific intersections of dimensions in your model. If a user's rules conflict with each other at a specific intersection, the access defaults to the more permissive rule.
Documentation to read:
- New to access rules? See Concept: Access Rules and Transition to Access Rules.
- The template uses hierarchy logic for every secured dimension. See Concept: Hierarchies and Access Rules.
- Access to data depends on various access controls throughout the model. For start-to-finish instructions, see Steps: Set Up Access Rule Security.
- For best practices, see Reference: Access Rules and Your Model.
- You may also be interested in Create Dynamic Access Rules.
Actions to complete:
- Complete your model's structure, including the levels, accounts, and custom dimensions.
- Have your level, level attributes, account, and custom dimension hierarchies viewable as you create rules. For all accounts except modeled accounts, you need the account code. For modeled accounts, you need the sheet name.
- Create the users and groups.
Best Practices: If you have a lot of users, or often add new users, create rules for user groups. Then add each user to a group to immediately grant them appropriate access. Update the rule per group to update the access of all the users in the group.
From the nav menu, select Administration. From the Users and Roles menu, select Access Rules.
Basic Steps to Set Up Access Rules
- Secure the dimensions.
You use the secured dimensions to define access rules.
- Export existing rules or download the template.
The template and the export are spreadsheets.
- Complete the template or edit exported rules.
In the template, list groups or users and assign them rules or a series of rules. You build the user’s access by permitting more with each rule. You can also create rules based on owned levels.
- Import the access rules.
Choose either Update and Append or Replace All to edit existing rules, add new rules, and delete old rules.
- Review the access rules on the table.
Periodically audit your rules if you make changes to the model, such as adding new levels, reorganizing any hierarchy, or deleting dimension values. See the section "Manage Rules After Model Updates" below.
Secure the Dimensions
Secure accounts, level attributes, and up to three custom dimensions. Levels are secured by default.
- From the toolbar, click the Add button. The list includes accounts, level attributes, and available custom dimensions. Some custom dimensions aren't available because their settings disqualify them. See the Eligible Custom Dimensions section that follows.
- Select from the list and click Add.
- Review the table: The dimensions and attributes you added appear as columns on the page and also in the template or export. See Concept: Access Rules Interface Tour.
Eligible Custom Dimensions
Custom dimensions may not appear in the list for various reasons:
- The dimension has over 10,000 values.
- You already have three custom dimensions secured. Contact us if you require more than three custom dimensions.
- The dimension has the "Use on Level" or "Data import automatically creates dimension values" setting selected.
- The dimensions might be on modeled and cube sheets with a sheet setting that allows users to edit dimension values from the sheets.
To update the dimension settings:
- Go to Modeling > Dimensions.
- From the list of dimensions, select the dimensions you want to secure.
- Uncheck the settings.
- Return to the access rules and the dimension appears in the list.
To update the sheet settings:
- Find the sheets that have the dimension you want to secure. From the nav menu, select Modeling and select the arrow. Then select Overview.
- For modeled sheets, double-click each modeled sheet icon. Dimensions on the sheet appear in the Column Details.
- For cube sheets, double-click each cube sheet icon. Dimensions appear in the Dimension Details.
- Once you know which sheets have the dimension, go to Modeling > Level Assigned Sheets or User Assigned Sheets. Find the sheet with the dimension, and edit:
- For modeled sheets, select Columns and Levels.
- For cube sheets, select Dimensions, Attributes, and Levels.
- Select the dimension you want to secure from the canvas to edit its settings and save the sheet:
Export the Rules or Download the Template
When you export the rules, your template includes existing rules. When you download the template, it's a blank Excel file.
From the toolbar, select Export. Save the file to your computer so you can make changes.
Download the Template
- Select Import from the toolbar.
- Select the Download Template link.
- Save the template to your computer so you can make changes.
Complete the Template or Edit the Export
Template Interface Tour
You can create rules for either a username OR a group name. Each secured dimension and attribute has a Grant column and a Grant All Except column. For each secured dimension or attribute in the rule, enter data either in the Grant column OR the Grant All Except column. Ask yourself if it is more efficient to list all the grants, or to list all the exceptions.
If you're listing more than one value, add a new row for each value. Several rows can make up one rule.
For the next rule, enter the Access Type in a row below the last listed dimension.
Don't add more than three blank rows between each rule. Any content after the third completely blank row is not imported.
The accounts listed are accessible only at the levels and custom dimension values listed in the same rule and vice versa. For example, one of the rules assigns John Doe access to the Sales Detail account group at the Sales level. The other rule assigns him access to the Expenses account group at G&A. He cannot access the Sales Details accounts at the G&A level or vice versa.
- Open the template or exported rules.
- In the Access Type column, enter the type of access for the rule: Edit, Full View, Limited View.
- Enter either the username or the group name. If you enter a group name, the rule is for all users assigned to that group.
- Define level access for the rule, entering one level per row:
- To give access to all the levels, enter (+) or the name of the top level in the Grant column.
- To give access to a level and its descendants, enter the name of the parent level in the Grant column. This excludes ancestors.
- To give access to the owned levels, enter (~) in the Grant column. See the Create Level Owner Access Rules section below.
- Or, in the Grant All Except column, list the parent levels or child levels. This removes access to the levels listed, their ancestors, and their descendants. It gives access to all other levels. You can create other rules that give access to descendants of levels listed here.
The only way to give access to an (Only) level is to give access to the parent and all descendants.
- (Optional) Define account access, entering one account per row:
- To give access to all accounts, enter (+) in the Grant column.
- To give access to entire account hierarchies, enter GL Accounts, Custom, Metric, Assumptions, Cube, or Modeled in the Grant column.
- To give access to all accounts in a group, enter the group name, modeled sheet name, or cube sheet name in the Grant column.
- To give access to an account and all its descendants, enter the account code of a parent account in the Grant column. This excludes ancestors.
- Or, list the account codes, group names, or hierarchy names in the Grant All Except column. This removes access to the accounts listed, their ancestors, and their descendants. It gives access to all other accounts. You can create other rules that give access to descendants listed here at different intersections.
- (Optional) Define custom dimension access, entering one value per row for each dimension:
- To give access to all the dimension's values, enter (+) in the Grant column. This includes the all value, or the dimension rollup.
- To give access to level, account, and split rollup values on standard sheets, enter (+) in the Grant column. See Access Rules and Your Model.
- To give access to specific values, enter the value names in the Grant column. This excludes the all value, or rollup, and parent values in hierarchical dimensions.
- To give access to only the root uncategorized value, enter (-) in the Grant column.
- Or, list the value names in the Grant All Except column. This excludes the all value. For hierarchical dimensions, list the parent to remove access to the parent, its descendants, and its ancestors. You can't list the root uncategorized value in this column. There is no way to remove access from the root uncategorized value.
Every rule automatically gives access to the root uncategorized value of custom dimensions.
- (Optional) Define level attribute access, entering one value per row.
The level attribute values listed only apply to the levels listed in the same rule.
- Save the template. You can change the name of the template file. Don't change the extension, the sheet names, or the column headers.
Many rules work together to create access per user or group. For example, these two rules work together to grant John Doe's data access:
The rules alone result in different access:
- The first rule says John has no access to the FP&A level. He has access to all other levels for all accounts and all product dimensions.
- The second rule says John only has access to the FP&A level and no other levels. The only accounts he can't edit are the Salaries and Personnel accounts.
The rules together have a different result. John can edit everything except the Personnel and Salaries accounts at the FP&A level.
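The following added example (not product code) models the two John Doe rules as described above, to show how Grant, Grant All Except, and the "more permissive rule wins" behavior combine. The level and account hierarchies, the dictionary layout, and the function names are constructed for illustration, and custom dimensions and access types are left out.

```python
# Constructed hierarchies (child -> parent); not taken from any real model.
LEVELS = {"Company": None, "FP&A": "Company", "FP&A East": "FP&A",
          "Sales": "Company", "G&A": "Company"}
ACCOUNTS = {"GL Accounts": None, "Salaries": "GL Accounts",
            "Personnel": "GL Accounts", "Travel": "GL Accounts"}

def ancestors(tree, node):
    """All nodes above `node` in the hierarchy."""
    found = set()
    while tree[node] is not None:
        node = tree[node]
        found.add(node)
    return found

def descendants(tree, node):
    """All nodes below `node` in the hierarchy."""
    return {n for n in tree if node in ancestors(tree, n)}

def resolve(tree, grant=(), grant_all_except=()):
    """Expand one dimension of one rule into the set of values it covers."""
    if grant_all_except:
        # Removes the listed values, their ancestors, and their descendants.
        blocked = set()
        for value in grant_all_except:
            blocked |= {value} | ancestors(tree, value) | descendants(tree, value)
        return set(tree) - blocked
    covered = set()
    for value in grant:
        if value == "(+)":          # (+) grants everything in the dimension
            return set(tree)
        covered |= {value} | descendants(tree, value)  # ancestors excluded
    return covered

def can_edit(rules, level, account):
    """Access exists if ANY single rule covers both sides of the intersection."""
    return any(level in resolve(LEVELS, **rule["levels"])
               and account in resolve(ACCOUNTS, **rule["accounts"])
               for rule in rules)

# Rule 1: every level except FP&A, all accounts.
RULE_1 = {"levels": {"grant_all_except": ["FP&A"]}, "accounts": {"grant": ["(+)"]}}
# Rule 2: only FP&A, every account except Salaries and Personnel.
RULE_2 = {"levels": {"grant": ["FP&A"]},
          "accounts": {"grant_all_except": ["Salaries", "Personnel"]}}

if __name__ == "__main__":
    for level, account in [("Sales", "Salaries"), ("FP&A", "Travel"), ("FP&A", "Salaries")]:
        print(level, account, can_edit([RULE_1, RULE_2], level, account))
```

In this model the constructed Company rollup stays inaccessible under both rules, because Grant All Except removes the ancestors of FP&A and Grant on FP&A excludes them.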
Find Account Codes
The codes are in the account lists in the Code column. You can use an API to pull all account codes or you can go to Modeling for:
- Modeled account codes: Use the sheet name
- Cube account codes: Click Level-Assigned Sheets or User-Assigned Sheets. Click Edit next to the cube or modeled sheet name. Click Cube Accounts. The codes appear in the hierarchy list.
- System account codes: Click General Ledger Accounts or Custom Accounts from the Accounts menu. System accounts have a special icon in the account lists. The codes appear in the hierarchy list.
- Any other account codes: Click on any type of account from the Accounts menu. The codes appear in the hierarchy list.
- Exchange rate accounts: Use the following protocol:
- Go to Modeling > Currency.
- Replace FromCurrencyCode and ToCurrencyCode with your model's currency code for each. Codes for each currency are in the Currency section.
- Replace RateCode with the exchange rate type code. Codes for each exchange rate type are in the Exchange Rate Types section.
Import Access Rules
When you import the rules, you can either:
- Replace All: Deletes all existing rules and adds the rules that are in your template.
- Update and Append:
- Replaces the existing rules of users or groups that have rules in the template. For example, say you add one rule in the template for the Accountants group. Update and Append replaces all the existing rules for the Accountants group with the one new rule. If you intend to add an additional rule to this group, export the existing rules and then add one more rule. The import then includes the existing rules as well as the new rule.
- Adds rules for new users or groups. For example, say the template only has rules for new users or groups that previously had no rules. Update and Append adds the new rules and leaves all existing rules as-is.
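As a pre-import check, the added example below (not product code) models the two import modes described above and lists the rules that would disappear, so an unintended loss of access is caught before the import. Rules are simplified to constructed tuples keyed by user or group name; the data and function names are illustrative assumptions.

```python
def replace_all(existing, template):
    """Replace All: every existing rule is deleted; only template rules remain."""
    return {principal: list(rules) for principal, rules in template.items()}

def update_and_append(existing, template):
    """Update and Append: a user or group named in the template ends up with
    exactly the template's rules; anyone absent from the template is untouched."""
    merged = {principal: list(rules) for principal, rules in existing.items()}
    for principal, rules in template.items():
        merged[principal] = list(rules)
    return merged

def rules_lost(existing, template, mode):
    """Rules present before the import that would be gone after it."""
    after = mode(existing, template)
    lost = {}
    for principal, rules in existing.items():
        gone = [rule for rule in rules if rule not in after.get(principal, [])]
        if gone:
            lost[principal] = gone
    return lost

# Constructed data: each rule is (access type, level grant, account grant).
EXPORTED = {
    "Accountants": [("Edit", "G&A", "Expenses"),
                    ("Full View", "Sales", "Sales Detail")],
    "jdoe": [("Edit", "FP&A", "(+)")],
}
# Template holding one new rule for Accountants and one for a new group.
TEMPLATE = {
    "Accountants": [("Limited View", "FP&A", "(+)")],
    "Planners": [("Edit", "Sales", "(+)")],
}

if __name__ == "__main__":
    for mode in (update_and_append, replace_all):
        print(mode.__name__, rules_lost(EXPORTED, TEMPLATE, mode))
```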
Import the Rules
- From the toolbar, select Import.
- Select the Replace All radio button, or Update and Append radio button.
- Drag and drop your saved file into the square or click anywhere in the square and select your saved file.
- If updating and appending, select Done when you get the success message.
- If replacing all, select the Replace All button to confirm. When you get the success message, select Done.
Correct Import Errors
If there are errors in the import, you get an error message when you import the template. To correct them:
- Select the Download Report link beneath the error message.
- Open the file and select the Errors sheet. Rows with errors are yellow. The error message appears in the cell with the error in red text.
- Select the cell with the error to read the full message.
- Select the Import sheet and find the corresponding rule. It's on the same row as the error in the Errors sheet.
- Correct the error and save the file.
- Try importing again.
Best Practice: Work with your team to see how the new access rules affect them. Refine the rules as needed.
Review the Access Rules Table
The rules on the screen don't look the same as the rules in the template. Each dimension column lists the values granted and there's no Grant All Except column. For example, if you listed two levels in the Grant All Except column in the template, the rule on the screen lists all the levels except the two. If a level column is blank on the screen, it means that the rule gives no access to any levels. If the account or custom dimension columns are blank, it means that the rule gives access to all the accounts and custom dimension values. See Concept: Access Rules Interface Tour.
Remove Secured Dimensions and Level Attributes
Remove custom dimensions, level attributes, or accounts from your access rules from the main screen. When you remove a dimension, all users have full access to that dimension and its values.
- Hover over the dimension column name until three vertical dots appear.
- Click the dots and select Remove.
Remove Secured Levels
You can't remove levels from access rules. If you don't want levels to control access, assign the top level to every user and group.
Delete Access Rules
- From the toolbar, select Export.
- Open the file and delete rules from the spreadsheet. Don't make any other changes to the other rules.
- Save the spreadsheet.
- Return to the access rules page.
- From the toolbar, select Import.
- Select the Replace All radio button.
- Select the Replace All button to confirm. The template has all the rules that you didn't want to delete.
- Select Done when you see the success message.
Audit and Correct Invalid Access Rules
When you update your model, associated rules automatically update according to the hierarchy. See Concept: Hierarchies and Access Rules.
If you create an account, level, or dimension value:
- At intersections where you can access the parent, you can also access the new child.
- At intersections where you can't access the parent, you can't access the new child. This is true even if you can access all the siblings of the new child.
Deleted accounts, levels, or dimension values get removed from the rule. This can make existing rules invalid or change the access. If your rules only give you access to the deleted:
- Account at various intersections, you lose all access to data and your rules become invalid.
- Level at various intersections, you lose all access to data and your rules become invalid.
- Custom dimension value at various intersections, the rule updates to include only the uncategorized value. The rule remains valid.
To find and correct invalid access rules:
- Go to Administration > Access Rules.
- Click Export.
- Save the file and don't make any changes to any rules.
- From the access rules screen, click Import.
- Drag and drop the exported file into the box.
- If there are any invalid rules, you get an error with a link to the error report. Use the report to correct any errors in the rules and import again.